Blogger alleges Facebook has re-activated tracker cookies

4 Oct 2011

Data captured from a Facebook user showing machine identification and association users

Nik Cubrilovic, the Australian blogger who sensationally revealed last week that Facebook cookies were tracking users even when they weren’t using the social network, has just claimed the cookies are back working on third-party sites.

Cubrilovic revealed that cookies from Facebook contained unique identifiers. Facebook admitted the situation existed but said it fixed the problem. It said that even while the cookies are still in place, they no longer track users’ activity once they’re logged out.

However, Cubrilovic says the cookies’ tracking code has been re-activated on certain third-party websites he and his colleagues have tested.

Cubrilovic wrote in his blog: “In May of this year the Wall Street Journal reported that Facebook Like buttons and other website widgets were setting cookies on visiting browsers. This cookie could then be read later and used to track the user across different web properties and back to the Facebook site. The cookie was being set even if the user had never been to the Facebook site, and even if they didn’t click a ‘Like’ or ‘share’ button.

“As a result of that report, Ashkan Soltani filed a bug with Facebook, which was fixed, and the cookie in question – datr – was removed and was no longer being set for logged in or logged out users when they visited a page integrating Facebook.

“Today, that cookie is back. It is being set by all the third-party sites that we tested.”

Cubrilovic says Facebook has claimed that the cookies are in place to help it identify suspicious activity and prevent multiple spam accounts, but said it did not involve social plug-ins. However, tests show it is back working on third-party sites.

“We believe that the identifier used to associate each user with the machine ID is the datr cookie. The cookie referred to in the user data matches the format and the length of the datr cookie.

Ashkan has again submitted a bug report to Facebook about the datr cookie. We hope it is disabled again promptly. If this cookie was re-enabled accidentally, it would be good to know how such a thing can happen. If it was enabled intentionally, despite all previous statements about third-party cookies being set, then a statement on why would be appropriate,” Cubrilovic stated.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com